Re: HOWTO Logging tcp binding on permissive mode


 





2011/1/24 François Chenais <francois.chenais@xxxxxxxxx>


2011/1/24 Dominick Grift <domg472@xxxxxxxxx>

On Mon, Jan 24, 2011 at 09:49:01AM +0100, François Chenais wrote:
> Hello,
>
>
> I would like to log process binding on tcp ports > 1023.

something like this may work:

mkdir mytest; cd mytest; echo "policy_module(mytest, 1.0.0) gen_require(\` attribute domain, userdomain, port_type; ') auditallow { userdomain domain } port_type:tcp_socket name_bind;" > mytest.te; make -f /usr/share/selinux/devel/Makefile mytest.pp; sudo semodule -i mytest.pp

Then any attempts to bind tcp_sockets to port_type ports by domain as well as userdomain will be logged in /var/log/audit/audit.log.

Coool ! Thanks a lot, I'm trying it now ...

 
You may, or may not, be able to do similar things by using the audit suite instead (man auditctl)


Yes but I can't find how to restrict the audit on a specific port number :/


   auditctl -d exit,always   -S bind  -k BIND



-a and not -d !!

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
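
Following on from the auditallow module and the port-number question in this thread, an added example (not code from either poster): a shell filter that narrows the resulting "granted { name_bind }" AVC records to TCP ports above 1023. The function names and the sample records are constructed for illustration; real input would be /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example, not from the thread: report tcp_socket name_bind grants
# on ports >= a threshold (default 1024), as logged by the auditallow rule.

# Constructed sample records in audit.log AVC layout (not real log data).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1295859001.101:501): avc:  granted  { name_bind } for  pid=2101 comm="nc" src=8080 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1295859002.202:502): avc:  granted  { name_bind } for  pid=2102 comm="httpd" src=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1295859003.303:503): avc:  granted  { name_bind } for  pid=2103 comm="named" src=5353 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=AVC msg=audit(1295859004.404:504): avc:  denied  { name_connect } for  pid=2104 comm="curl" dest=8443 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1295859005.505:505): avc:  granted  { name_bind } for  pid=2105 comm="python" src=31337 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
EOF
}

# Reads audit records on stdin; prints "port comm pid scontext" per match.
# $1 = lowest port to report. A comm value containing spaces is truncated
# at the first space because fields are split on whitespace.
high_port_binds() {
    awk -v min="${1:-1024}" '
    /avc: +granted / && /tclass=tcp_socket( |$)/ &&
    match($0, /[{][^}]*name_bind[^}]*[}]/) {
        port = ""; comm = ""; pid = ""; scon = ""
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^src=/)      port = substr($i, 5)
            else if ($i ~ /^comm=/)     comm = substr($i, 6)
            else if ($i ~ /^pid=/)      pid  = substr($i, 5)
            else if ($i ~ /^scontext=/) scon = substr($i, 10)
        }
        gsub(/"/, "", comm)
        # Skip records without a src= field and ports below the threshold.
        if (port != "" && port + 0 >= min + 0) print port, comm, pid, scon
    }'
}

# Demo on the constructed records. On a real system:
#   high_port_binds < /var/log/audit/audit.log
sample_log | high_port_binds
```
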
